CVE-2025-14917

EUVD-2025-209021 | MEDIUM 6.7 (CVSS 3.1)
2026-03-25 | ibm | GHSA-436f-fmh9-32gq

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 25, 2026 - 20:32 (euvd) - EUVD-2025-209021
Analysis Generated: Mar 25, 2026 - 20:32 (vuln.today)
Patch Released: Mar 25, 2026 - 20:32 (nvd) - Patch available
CVE Published: Mar 25, 2026 - 20:13 (nvd) - MEDIUM 6.7

Description

IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.3 could provide weaker than expected security when administering security settings.

Analysis

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a vulnerability in security settings administration that could allow an authenticated attacker who already holds high privileges to bypass expected security controls and gain unauthorized access to sensitive information. The vulnerability affects a critical administrative interface and, while it requires local access and high privileges to exploit, could enable privilege escalation or information disclosure within enterprise environments. No evidence of active exploitation or a public proof of concept has been reported, but a vendor patch is available.

Technical Context

This vulnerability relates to CWE-1393 (Weak Security Settings Administration), which describes improper enforcement of security policies during configuration and administration of security parameters. IBM WebSphere Application Server Liberty (confirmed via CPE cpe:2.3:a:ibm:websphere_application_server_-_liberty) is a lightweight application server framework used to deploy Java-based enterprise applications. The affected versions (17.0.0.3 through 26.0.0.3) span a significant release history, suggesting the vulnerability is rooted in how the administrative console or configuration framework validates and applies security-related settings. The weakness likely exists in the security realm configuration, user role mapping, or permission enforcement logic that governs who can access what resources within the application server.

Affected Products

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 (inclusive) are affected, as confirmed by the CPE identifier cpe:2.3:a:ibm:websphere_application_server_-_liberty. This broad version range, spanning approximately 9 major releases, suggests the vulnerability has existed in the codebase for an extended period. Organizations running any version within this range should be considered in scope. Refer to the IBM support page at https://www.ibm.com/support/pages/node/7267362 for detailed patch information and affected build numbers.

Remediation

Apply the security patch provided by IBM at https://www.ibm.com/support/pages/node/7267362, which addresses the vulnerability in all affected versions; upgrade to a patched release in the relevant 17.x through 26.x line (exact patch versions are listed in the IBM advisory). Until patching is complete, enforce the principle of least privilege by restricting administrative console access to a minimal set of trusted administrators, disable non-essential administrative features where possible, and ensure all administrative access is logged and monitored. Consider network-level access controls to limit who can reach the WebSphere Liberty administrative interfaces (ports 9080 and 9443 by default). Test patches in a staging environment before production deployment to confirm compatibility with existing security configurations.

Priority Score

34 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +34
POC: 0

CVE-2025-14917 vulnerability details – vuln.today